Bug 239130 (CVE-2008-3827)

Summary: media-video/mplayer <1.0_rc2_p27725-r1 Real demuxer heap overflow (CVE-2008-3827)
Product: Gentoo Security
Reporter: Stefan Behte (RETIRED) <craig>
Component: Vulnerabilities
Assignee: Gentoo Security <security>
Status: RESOLVED FIXED
Severity: major
CC: media-video
Priority: High    
Version: unspecified   
Hardware: All   
OS: Linux   
URL: http://www.ocert.org/advisories/ocert-2008-013.html
Whiteboard: A2 [glsa]
Package list:
Runtime testing required: ---
Bug Depends on: 241110    
Bug Blocks:    
Attachments:
Description Flags
The patch was released.. none

Description Stefan Behte (RETIRED) gentoo-dev Security 2008-09-30 10:05:40 UTC
Description:

The MPlayer multimedia player suffers from a vulnerability which could result in arbitrary code execution and, at the least, in unexpected process termination.

Three integer underflows located in the Real demuxer code can be used to exploit a heap overflow; a specific video file can be crafted in order to make the stream_read function read or write arbitrary amounts of memory.

The following patch fixes the issues:
http://www.ocert.org/patches/2008-013/mplayer_demux_real.patch
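
The bug class described in the report above, as an added illustration that is not MPlayer's code and not part of the original report: a length field taken from the file is reduced by a header size without a lower-bound check, wraps around, and would then be handed to a read routine. The `struct stream`, the toy `stream_read`, `HDR_LEN` and all function names are assumptions made for this example.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define HDR_LEN 12u /* constructed value: header bytes already consumed */

/* Hypothetical in-memory stream standing in for the demuxer's input. */
struct stream { const uint8_t *data; size_t len, pos; };

/* Toy stream_read: copies n bytes (clamped to what is left) into dst. */
size_t stream_read(struct stream *s, uint8_t *dst, size_t n) {
    size_t avail = s->len - s->pos;
    if (n > avail) n = avail;
    memcpy(dst, s->data + s->pos, n);
    s->pos += n;
    return n;
}

/* Unchecked: chunk_len is read from the file. If it is smaller than
 * HDR_LEN, the unsigned subtraction wraps to a value near 4 GiB. */
uint32_t payload_len_unchecked(uint32_t chunk_len) {
    return chunk_len - HDR_LEN;
}

/* Checked: validate before subtracting, then bound by the destination. */
int payload_len_checked(uint32_t chunk_len, size_t cap, uint32_t *out) {
    if (chunk_len < HDR_LEN) return -1;        /* would underflow */
    if (chunk_len - HDR_LEN > cap) return -1;  /* would overrun dst */
    *out = chunk_len - HDR_LEN;
    return 0;
}

/* Reads one payload; returns bytes read, or -1 if the length is rejected. */
long read_payload(struct stream *s, uint32_t chunk_len, uint8_t *dst, size_t cap) {
    uint32_t n;
    if (payload_len_checked(chunk_len, cap, &n) != 0) return -1;
    return (long)stream_read(s, dst, n);
}

int main(void) {
    static const uint8_t file[] = { 1, 2, 3, 4, 5, 6 }; /* constructed input */
    struct stream s = { file, sizeof file, 0 };
    uint8_t buf[8];
    printf("unchecked(4) = %u\n", (unsigned)payload_len_unchecked(4));
    printf("checked(4)   = %ld\n", read_payload(&s, 4, buf, sizeof buf));
    printf("checked(16)  = %ld\n", read_payload(&s, 16, buf, sizeof buf));
    return 0;
}
```

The checked path rejects the length before any bytes are copied, so neither the wrapped value nor an oversized but valid-looking one reaches the read call.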
Comment 1 Robert Buchholz (RETIRED) gentoo-dev 2008-09-30 16:37:33 UTC
apparently this is fixed in r27675, mplayer/trunk/libmpdemux/demux_real.c
Comment 2 Leo Jackson 2008-09-30 20:51:17 UTC
Created attachment 166868 [details, diff]
The patch was released..

This was from the Maintainers
Comment 3 Robert Buchholz (RETIRED) gentoo-dev 2008-10-04 18:42:26 UTC
Can we either get an mplayer stable that has this and bug 231836 fixed, or apply the two patches onto our current stable?
Comment 4 Steve Dibb (RETIRED) gentoo-dev 2008-10-07 01:57:32 UTC
mplayer-1.0_rc2_p27725 in the tree
Comment 5 Stefan Behte (RETIRED) gentoo-dev Security 2008-10-18 23:33:31 UTC
I see that mplayer-1.0_rc2_p27725-r1 is in the tree, does
https://bugs.gentoo.org/show_bug.cgi?id=241110 still need to be fixed? I'd like to get this thing into stable.
Comment 6 Christian Hoffmann (RETIRED) gentoo-dev 2008-10-19 09:50:59 UTC
Arches, please test and mark stable:
  =media-video/mplayer-1.0_rc2_p27725-r1

Target keywords: "alpha amd64 hppa ia64 ppc ppc64 sparc x86"
Arches which don't even have ~arch: "alpha ia64 ppc sparc"

Apparently, there are still problems w/ sparc and alpha (according to the bug in the dependencies), can you fix them beandog (or anyone from media-video)?
Comment 7 Markus Meier gentoo-dev 2008-10-19 14:30:13 UTC
this needs the following packages stable on amd64/x86 (according to repoman):
'>=media-video/dirac-0.10.0', 'media-libs/schroedinger', '>=media-libs/x264-0.0.20080406'
Comment 8 Alexis Ballier gentoo-dev 2008-10-19 14:37:33 UTC
(In reply to comment #7)
> this needs the following packages stable on amd64/x86 (according to repoman):
> '>=media-video/dirac-0.10.0', 'media-libs/schroedinger',

these should be ok

> '>=media-libs/x264-0.0.20080406'
please check stable packages from:
http://tinderbox.dev.gentoo.org/misc/rindex/media-libs/x264
against 0.0.20080819
This snapshot had been slatted just before an API change; I don't remember any specific breakage with that version, but better double check.
Note that you'll need to stabilize x264-encoder of the same version at the same time.
0.0.20081006 changes the API a bit and will break a couple of stable packages.
Comment 9 Markus Meier gentoo-dev 2008-10-19 17:12:07 UTC
amd64/x86 stable for the following packages:
=media-video/dirac-1.0.0
=media-libs/schroedinger-1.0.5
=media-libs/x264-0.0.20080819
=media-video/x264-encoder-0.0.20080819
=media-video/mplayer-1.0_rc2_p27725-r1
Comment 10 Guy Martin (RETIRED) gentoo-dev 2008-10-20 19:48:42 UTC
hppa stable
Comment 11 Markus Rothe (RETIRED) gentoo-dev 2008-10-21 17:23:09 UTC
ppc64 stable
Comment 12 Tobias Scherbaum (RETIRED) gentoo-dev 2008-10-30 20:08:44 UTC
ppc stable
Comment 13 Tobias Klausmann (RETIRED) gentoo-dev 2008-11-09 11:44:12 UTC
Stable on alpha. Had to mask the dxr3 USE flag due to lack of hardware for testing.
Comment 14 Raúl Porcel (RETIRED) gentoo-dev 2008-11-10 11:24:09 UTC
ia64 stable, sparc is waiting for bug 241110
Comment 15 Friedrich Oslage (RETIRED) gentoo-dev 2008-11-24 23:08:07 UTC
Sparc stable, sorry for the hold-up :(
Comment 16 Robert Buchholz (RETIRED) gentoo-dev 2008-11-29 14:09:07 UTC
request filed
Comment 17 Tobias Heinlein (RETIRED) gentoo-dev 2009-01-12 19:51:36 UTC
GLSA 200901-07. Thanks everyone, sorry about the delay.